Incident Response > [T3]: Lab - Sysmon: EventTypes and custom config
Objective: learn the Sysmon EventTypes and write a sample custom config.

Sysmon records several different types of events. Each EventType has its own unique EventID, which appears in the event log whenever the configuration tells Sysmon to log that EventType. Here is the list of EventTypes Sysmon provides and their corresponding EventIDs.
| EventType | EventId |
|---|---|
| Sysmon Service Status Changed | 0 |
| Process creation | 1 |
| A process changed a file creation time | 2 |
| Network connection | 3 |
| Sysmon service state changed | 4 |
| Process terminated | 5 |
| Driver loaded | 6 |
| Image loaded | 7 |
| CreateRemoteThread | 8 |
| RawAccessRead | 9 |
| ProcessAccess | 10 |
| FileCreate | 11 |
| RegistryEvent (Object create and delete) | 12 |
| RegistryEvent (Value Set) | 13 |
| RegistryEvent (Key and Value Rename) | 14 |
| FileCreateStreamHash | 15 |
| ServiceConfigurationChange | 16 |
| PipeEvent (Pipe Created) | 17 |
| PipeEvent (Pipe Connected) | 18 |
| WmiEvent (WmiEventFilter activity detected) | 19 |
| WmiEvent (WmiEventConsumer activity detected) | 20 |
| WmiEvent (WmiEventConsumerToFilter activity detected) | 21 |
| DNSEvent (DNS query) | 22 |
| FileDelete (File Delete archived) | 23 |
| ClipboardChange (New content in the clipboard) | 24 |
| ProcessTampering (Process image change) | 25 |
| FileDeleteDetected (File Delete logged) | 26 |
| FileBlockExecutable | 27 |
| FileBlockShredding | 28 |
| Error | 255 |
So let us create a rule that detects an attacker enumerating the system with lolbins. We will look for cmd or PowerShell executing one of the following commands:
- whoami
- net
- ipconfig

A custom config has to satisfy the following:
- The schema version needs to be defined.
- The EventType needs to be set.
- The groupRelation needs to be set.
- The rule name is an optional attribute.
- The conditions need to be set.
Translated into plain language, the above example says: log any process creation whose parent process contains either cmd.exe or powershell.exe, and whose command line contains either whoami, net, or ipconfig.
- Change to the directory where Sysmon is located: `cd C:\Sysmon`
- Save the config in a file named `processcreate.rule`
- Open PowerShell as an administrator.
- Update the Sysmon config: `.\Sysmon.exe -c .\processcreate.rule`
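The following PowerShell script is an added example, not the lab's own config file: it writes a config implementing the rule described above and applies it with the steps just listed. It assumes Sysmon lives in `C:\Sysmon` as in the lab, and it assumes `schemaversion="4.90"`; the schema your installed binary expects is printed by `.\Sysmon.exe -s`, so adjust the attribute if yours is older. The rule name `System enumeration` is the one the lab refers to.

```powershell
# Added example (not the lab's original config): write and apply the ProcessCreate rule.
# Assumption: Sysmon is installed in C:\Sysmon and accepts schemaversion 4.90
# (check with .\Sysmon.exe -s and lower the version if needed).
$config = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- EventType ProcessCreate = Event ID 1. onmatch="include" logs only what matches. -->
      <ProcessCreate onmatch="include">
        <!-- groupRelation="and": both fields below must match for the event to be logged.
             "contains any" ORs the semicolon-separated values within one field. -->
        <Rule name="System enumeration" groupRelation="and">
          <ParentImage condition="contains any">cmd.exe;powershell.exe</ParentImage>
          <CommandLine condition="contains any">whoami;net;ipconfig</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Step 1 and 2: go to the Sysmon directory and save the config as processcreate.rule.
Set-Location C:\Sysmon
Set-Content -Path .\processcreate.rule -Value $config -Encoding UTF8

# Step 4 (from an elevated PowerShell prompt): load the new configuration.
.\Sysmon.exe -c .\processcreate.rule
```

Two tuning points worth knowing before deploying this outside the lab: `contains` is a substring match, so the value `net` also fires on command lines such as `netstat` or anything mentioning `dotnet`, and because `onmatch="include"` only keeps matching events, every other process creation is dropped until you add further include rules.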
To test your config file, clear the Sysmon event logs, open cmd.exe, and run the whoami command.
As you can see in the above screenshot:
- EventID is set to 1, the correct value for the EventType ProcessCreate.
- The rule name is set to System enumeration as we previously defined it in the config file.
- The parent image contains cmd.exe at the end of it.
- The CommandLine has the value whoami.
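To verify the four points above without a screenshot, the following PowerShell snippet is an added example (not part of the lab): it clears the Sysmon log, then reads back Event ID 1 records and prints the fields the lab checks. It assumes the rule was named `System enumeration` in the applied config and that `whoami` has been run from `cmd.exe` in between.

```powershell
# Added example (not part of the lab): inspect Event ID 1 records produced by the rule.
# Assumption: the applied config names the rule "System enumeration".

# Clear the Sysmon operational log so only fresh events show up (elevated prompt).
wevtutil cl Microsoft-Windows-Sysmon/Operational

# ... now open cmd.exe and run whoami, then query the log:
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1                               # ProcessCreate
} -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="..."> elements under EventData.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only events tagged by our rule; RuleName is "-" for events no named rule matched.
    if ($data['RuleName'] -eq 'System enumeration') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            RuleName    = $data['RuleName']
            ParentImage = $data['ParentImage']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
        }
    }
}
```

A matching row shows `EventId` 1, `RuleName` equal to `System enumeration`, a `ParentImage` ending in `cmd.exe` and a `CommandLine` of `whoami`, which is exactly the four-point check the lab describes.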